Putting the person back into personal data protection

Written by Gloria González Fuster, a research professor at the Vrije Universiteit Brussel (VUB) and member of the Law, Science, Technology and Society (LSTS) Research Group, where she investigates legal issues related to fundamental rights, privacy, personal data protection and security, and lectures on fundamental rights protection in European Union (EU) law in the context of the Master of Laws in International and European Law (PILC).

Data protection law is nowadays a relatively popular subject. The countdown to May 2018, when the General Data Protection Regulation (GDPR) will become applicable, is generating more and more attention. In the meantime, many other connected issues keep triggering intense policy debates, and attracting curious and eager researchers: from the future of the upcoming ‘e-Privacy’ Regulation to forever controversial global data transfers; from the fluctuating privacy/security dichotomy to the contentious frictions between fundamental rights safeguards and innovation, data protection law regularly finds itself directly under the spotlight of important political, societal and scientific discussions.

From an academic perspective, the appeal of data protection is unquestionable, at least for researchers captivated by both law and technology. It requires indeed a minimum understanding of how both function, and represents a constant invitation to reflect on the many articulations between them. Data protection is very much about attempting to regulate the way in which machines operate, and thus demands thinking about what machines do (or could, or should do) with data, about the algorithms playing with such data, and about how these can (or should) be made to work differently. All this is, for sure, tremendously attractive for the geek hiding inside every contemporary legal scholar.

Beyond data and technology, and beyond machines and algorithms, personal data protection is, however, also about something else. It is, actually, also about somebody else: the individuals to whom the data are related. Data protection law does indeed not apply for the sake of trying to regulate automated data processing, or merely because new technologies maybe cannot be trusted to behave properly on their own. Data protection law applies insofar as data relate to somebody, and primarily because our societies consider capital to protect the individuals connected to, and thus associated with, the processed data. It is them, that is, the people who data protection law reverently calls ‘data subjects’, who ultimate justify the existence of any data protection legislation.

In spite of this inherent, crucial link between the person and personal data protection law, data subjects remain to a great extent ‘an explored subject’ in data protection literature. Compared to the thousands of pages written about the challenges and anxieties of those who process personal data, there is proportionately very little published about the concerns, interests and wishes of the individuals whose data are processed. As a matter of fact, there is not much available about how data subjects are to be legally envisioned, or even conceptually framed; about what they supposedly know, what they possibly ignore, and what presumably matters for them.

The GDPR, in a novel fashion, put on the table the fact that some data subjects might be younger than others, and have thus potentially different needs and problems. Time has come, perhaps, for researchers to investigate more closely whether indeed data subjects might come in different shapes, and with different abilities and priorities, as well as what could be the profile of the ideal, average data subject on which EU data protection is seemingly being erected; more generally, to ask the question of who are the data subjects, and to stop approaching data protection law as a primarily impersonal, data-centric topic.